Set stricter PHP settings to secure joomla and wordpress installations

If you run a Joomla or WordPress installation with mod_php, the following settings in the vhost configuration file or the "Apache directives" field in ISPConfig can be used to set a stricter security policy. This helps limit the impact of a possible hack to this website and protect the other sites on the server.

php_admin_value disable_functions "show_source system shell_exec passthru exec phpinfo popen proc_open"
php_admin_flag allow_url_fopen Off
php_admin_value session.save_path "/var/www/webXXX/phptmp/"
php_admin_value open_basedir "/var/www/webXXX/:/tmp"

Explanation

disable_functions disables functions that have a potential security impact e.g. because they allow the execution of external applications.

allow_url_fopen disables the ability to open files via an URL.

session.save_path sets the path where PHP stores its session files. For ISPConfig 2, the path is e.g. "/var/www/webXXX/phptmp/" and for ISPConfig 3 the path is like "/var/www/clients/client1/web1/tmp/" If you don't use ISPConfig, set this path to a directory which is writable for the webserver user. the directory should be unique for every website.

open_basedir sets the path where PHP scripts are allowed to open files. For ISPConfig 2, the path is likeĀ  "/var/www/webXXX/" and for ISPConfig 3 the path is like "/var/www/clients/client1/web1/" If you don't use ISPConfig, set this path to the root directory of this vhost. With :/tmp we allow PHP scripts to use also the /tmp directory of the server.

1 thought on “Set stricter PHP settings to secure joomla and wordpress installations”

Leave a Comment

*